Lyft's open source asset tracking tool simplifies security
Lyft, the ride-sharing company, has released an open source tool called Cartography that helps organizations track and manage their digital assets. Cartography is a graph-based tool that collects data from various sources, such as AWS, GCP, GitHub, and Okta, and maps the relationships between assets, such as servers, databases, applications, users, and roles. By visualizing the asset inventory and dependencies, Cartography enables security teams to identify risks, gaps, and misconfigurations in their environments.
According to Lyft, Cartography was born out of the need to automate and scale the security assessment process for its rapidly growing cloud infrastructure. The tool allows security engineers to write queries in Cypher, a graph query language, to answer questions such as "Which EC2 instances have public IPs?" or "Which users have access to this S3 bucket?". Cartography also supports adding custom data sources and enriching the graph with additional attributes and labels.
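The two questions above, written as Cypher queries against the Neo4j database that Cartography populates. This is an added example, not code from the Lyft repository or the article; the node labels, relationship types and property names (AWSAccount, EC2Instance.publicipaddress, AWSPrincipal, AWSPolicy, AWSPolicyStatement with list-valued action and resource) are assumed to follow Cartography's AWS schema, and the bucket name is a placeholder.

```cypher
// Added example, not Cartography's own code. Labels and property names are
// assumed to match Cartography's AWS schema; verify them against the schema
// docs for the version you run, and replace example-bucket with a real name.

// 1. Which EC2 instances have public IPs? Grouped by account and region so
//    the result can be handed to the team that owns each account.
MATCH (a:AWSAccount)-[:RESOURCE]->(i:EC2Instance)
WHERE i.publicipaddress IS NOT NULL
RETURN a.id AS account, i.region AS region, i.instanceid AS instance,
       i.publicipaddress AS public_ip
ORDER BY account, region;

// 2. Which IAM principals have an Allow statement that names this bucket?
//    Cartography stores a statement's action and resource values as lists,
//    so ANY() is used to walk them. A hit is a candidate for review, not proof
//    of effective access: Deny statements, conditions, permission boundaries
//    and the bucket's own policy are not evaluated by this query.
MATCH (p:AWSPrincipal)-[:POLICY]->(pol:AWSPolicy)
      -[:STATEMENT]->(s:AWSPolicyStatement)
WHERE s.effect = 'Allow'
  AND ANY(r IN s.resource WHERE r IN ['*',
                                      'arn:aws:s3:::example-bucket',
                                      'arn:aws:s3:::example-bucket/*'])
  AND ANY(act IN s.action WHERE act = '*' OR act STARTS WITH 's3:')
RETURN DISTINCT p.arn AS principal, pol.name AS policy, s.action AS actions
ORDER BY principal;
```

Both queries can be pasted into the Neo4j browser or run from any Neo4j client once Cartography has completed a sync.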
Cartography is not the first tool to use graphs for asset management and security. Other tools, such as BloodHound, Neo4j, and Grapl, also leverage graph databases and queries to analyze complex systems and detect threats. However, Cartography stands out for its focus on cloud-native environments and its integration with popular services and platforms. Cartography is also designed to be easy to deploy and maintain, as it runs as a Docker container and uses AWS Lambda functions to fetch data.
Lyft has made Cartography available on GitHub under the Apache 2.0 license. The company hopes that by sharing its tool with the open source community, it can benefit from feedback, contributions, and collaboration. Lyft also invites other organizations to use Cartography to simplify their security operations and improve their visibility into their digital assets.
One of the use cases of Cartography is to automate the security review process for new applications and services. Lyft has developed a framework called Security Review as Code (SRaaC) that uses Cartography to evaluate the security posture of a service based on predefined criteria and best practices. SRaaC generates a security scorecard for each service and provides recommendations and feedback to the developers. This way, security issues can be detected and fixed early in the development lifecycle, reducing the need for manual audits and reviews.
Another use case of Cartography is to monitor and alert on changes and anomalies in the asset inventory. Lyft has integrated Cartography with its internal alerting system, which sends notifications to the relevant teams when a change or an event occurs that affects the security or compliance of an asset. For example, if a new IAM role is created or a firewall rule is modified, Cartography can detect the change and trigger an alert. This helps security teams stay on top of their environments and respond quickly to incidents.
Cartography is not only useful for security teams, but also for other stakeholders who need to understand and manage their digital assets. For instance, engineering teams can use Cartography to optimize their resource utilization and performance, while finance teams can use it to track and control their cloud spending. Cartography can also help with governance and compliance, as it can provide evidence and documentation for audits and regulations.